OpenSkillIndex← back to search
claude-code

Aiwg cloud-forensics

AWS, Azure, and GCP forensic investigation covering audit logs, IAM review, storage access, network flows, and compute instance forensics

install
source · Clone the upstream repo
git clone https://github.com/jmagly/aiwg
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jmagly/aiwg "$T" && mkdir -p ~/.claude/skills && cp -r "$T/agentic/code/frameworks/forensics-complete/skills/cloud-forensics" ~/.claude/skills/jmagly-aiwg-cloud-forensics-1e2cc5 && rm -rf "$T"
manifest: agentic/code/frameworks/forensics-complete/skills/cloud-forensics/SKILL.md
source content

cloud-forensics

Investigates cloud environments for signs of compromise, data exfiltration, privilege escalation, and persistence. Parameterized by cloud provider. Adapts collection procedures to AWS CloudTrail, Azure Monitor/Activity Log, and GCP Cloud Audit Logs. Maps findings to MITRE ATT&CK Cloud techniques.

Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

  • "CloudTrail" → AWS audit log analysis
  • "Activity Log" → Azure audit log analysis
  • "Cloud Audit Logs" → GCP audit log analysis
  • "IAM review" → cloud identity forensics

Purpose

Cloud forensics requires provider-specific tooling and log sources. An AWS investigation centers on CloudTrail and GuardDuty; Azure on Activity Logs and Defender for Cloud; GCP on Cloud Audit Logs and Security Command Center. This skill selects the appropriate collection path and produces a consistent findings document regardless of provider.

Behavior

When triggered, this skill:

  1. Identify cloud provider and configure access:

    • AWS: verify 
      aws sts get-caller-identity
      — record account ID, ARN, and user ID
    • Azure: verify 
      az account show
      — record subscription ID, tenant ID, and principal
    • GCP: verify 
      gcloud auth list
      and 
      gcloud config get-value project
    • Prompt for provider if not determinable from environment

  2. AWS — CloudTrail audit log collection:

    • List trails: 
      aws cloudtrail describe-trails
    • Check if logging is enabled on all trails and all regions
    • Pull recent management events: 
      aws cloudtrail lookup-events --max-results 1000
    • Flag high-risk event names: 
      CreateUser
      , 
      AttachUserPolicy
      , 
      PutRolePolicy
      , 
      AssumeRole
      , 
      GetSecretValue
      , 
      DeleteTrail
      , 
      StopLogging
      , 
      PutBucketPolicy
    • Check for CloudTrail log integrity validation status

  3. AWS — IAM review:

    • List all IAM users and check for access keys older than 90 days: 
      aws iam list-users
      + 
      aws iam list-access-keys
    • List users with 
      AdministratorAccess
      managed policy
    • List roles with trust policies allowing external principals or 
      *
      in Principal
    • Check for recently created or modified IAM entities (within investigation window)
    • Download and analyze credential report: 
      aws iam generate-credential-report && aws iam get-credential-report

  4. AWS — storage and data access:

    • List S3 buckets with public access settings: 
      aws s3api get-public-access-block --bucket <name>
    • Check for buckets with server access logging disabled
    • Review recent S3 data events in CloudTrail if data event logging is enabled
    • Check Secrets Manager and SSM Parameter Store access events

  5. Azure — Activity Log collection:

    • Pull activity log for the investigation window: 
      az monitor activity-log list --start-time <ISO8601> --end-time <ISO8601>
    • Flag high-risk operations: role assignment creation, policy assignments, key vault access, storage account key rotation, VM disk snapshots
    • Check Defender for Cloud alerts: 
      az security alert list

  6. Azure — IAM (RBAC) review:

    • List Owner and Contributor role assignments at subscription scope: 
      az role assignment list --include-classic-administrators
    • Flag service principals with no associated application or with expired credentials
    • Check for recently created managed identities

  7. GCP — Cloud Audit Log collection:

    • Query Admin Activity logs: 
      gcloud logging read 'logName:"cloudaudit.googleapis.com/activity"' --limit=1000
    • Query Data Access logs if enabled
    • Flag: 
      SetIamPolicy
      , 
      CreateServiceAccountKey
      , 
      ActAs
      , 
      signBlob
      , bucket ACL changes
    • Check Security Command Center findings: 
      gcloud scc findings list <organization_id>

  8. GCP — IAM review:

    • List project-level IAM bindings: 
      gcloud projects get-iam-policy <project>
    • Flag roles/owner and roles/editor at project or folder scope
    • List service account keys and flag keys older than 90 days
    • Check for allUsers or allAuthenticatedUsers bindings on any resource

  9. Compute instance forensics (all providers):

    • List running instances with metadata (creation time, last started, associated IAM role/service account)
    • Flag instances with public IP addresses that have inbound rules permitting 0.0.0.0/0 on sensitive ports
    • Check for recently created disk snapshots (potential exfiltration staging)
    • Review instance serial console output or boot logs where available

  10. Network flow log review:

    • AWS: pull VPC Flow Logs for unusual outbound traffic patterns from targeted instances
    • Azure: pull NSG Flow Logs
    • GCP: pull VPC Flow Logs
    • Flag large data transfers, connections to known-bad IPs, and unusual destination ports

  11. Write findings document:

    • Save to 
      .aiwg/forensics/findings/cloud-<provider>-forensics.md
    • Sections: identity findings, logging gaps, data access anomalies, network anomalies, persistence indicators

Usage Examples

Example 1 — AWS

aws investigation

Uses the currently configured AWS CLI profile.

Example 2 — GCP with project

gcp forensics --project my-project-id

Example 3 — Azure

azure forensics --subscription 00000000-0000-0000-0000-000000000000

Output Locations

  • Findings: 
    .aiwg/forensics/findings/cloud-<provider>-forensics.md
  • Raw IAM report: 
    .aiwg/forensics/evidence/cloud-<provider>-iam.json
  • Audit log export: 
    .aiwg/forensics/evidence/cloud-<provider>-audit.json

Configuration

cloud_forensics:
  investigation_window_hours: 72
  high_risk_aws_events:
    - CreateUser
    - AttachUserPolicy
    - PutRolePolicy
    - DeleteTrail
    - StopLogging
    - GetSecretValue
  key_age_threshold_days: 90
  flag_public_instances: true

References

  • @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Verify provider identity and access before collection; detect available log sources
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Export and hash cloud artifacts before analysis; record snapshot IDs in custody log
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate when CloudTrail tampering (StopLogging, DeleteTrail) or active IAM privilege escalation is found
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/evidence-preservation/SKILL.md — Cloud evidence (snapshots, log exports) must be preserved per custody procedures
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/ioc-extraction/SKILL.md — Extract IOCs (suspicious IPs, ARNs, service principal IDs) from cloud audit log findings